•Introduction
•Program Overview
•NVT Architecture
•Technology Assessment to Integrate Risk Tools
•FuzzyCLIPS
•Task #6 Proof-of-Concept Prototype
•Future: Risk/Vulnerability Visualization
•Plans for the Next Quarter
•Open Discussion

Program Overview

Program Objective

•To investigate technologies for the enhancement of automated risk assessment tools in the areas of usability, productivity and capability
•In particular, investigate enhancement through
-New methods to perform knowledge solicitation
-A normalized system representation satisfying the needs of several existing risk assessment tools
-The fusion of various tool outputs into a single report
-The graphical display of the resulting vulnerability data

Project Manager
Ronda Henning

Program Administrator
Linda Phan

Contracts
Eva Harris

Principal Investigator
Eric Meijer

Software Engineer
John Farrell

Software Engineer
Kevin Fox

Software Engineer
Cliff Miller

Expenditures/Staffing

•Program underrunning projections
-Planned underrun, to allow us to support new staff
-Addition of John Farrell full time 1 December
•Expertise in Fuzzy CLIPS and G2
•Lots of incremental build/prototyping experience
-Changes in contracts and finance staffing
•Benign, uncomplicated program for new staff
•State of current incremental funding:
-Current authorized funding of $490,000
-Out of money in January
-$83,000 of planned incremental funding in GFY 1999 for contract completion.

Program Schedule

•Contract began 1 April 1997
•24 month schedule, divided into 7 tasks
-Task #1 - Knowledge Solicitation
-Task #2 - System Visualization and Validation
-Task #3 - Selection and Application of Automated Reasoning Technologies (Risk Assessment Tools)
-Task #4 - Vulnerability Quantification
-Task #5 - Scaling of Identified Vulnerabilities
-Task #6 - Proof-of-Concept Prototype
-Task #7 - Final Report

Milestone Schedule

Insert Here NVT Schedule from MS Project

Current Status

•Task #1 - Completed
-Resulted in selection of OpenView as discovery technology
-Also have NET VIZ in NVT Lab
•Task #2 - On-going
•Task #3 - Completed
-Resulted in selection of ANSSR, ISS, and RAM
•Task #4 - Vulnerability Quantification
•Task #5 - Underway
-Resulted in selection of Fuzzy Expert System technology to integrate results from risk assessment tools
•Task #6 - Underway
-Currently addressing issues with ANSSR
•Task #7 - Final Report

NVT Architecture

NVT Architecture Goals

•Establish a framework that allows for the use of current and future risk assessment plug-ins
•Establish the foundation for a system that can resolve Ontological and Language issues
•Provide the user with a clear understanding of their present risk based on the most effective use of the current plug-in set
•Provide the user with the capability to determine the most effective means to mitigate their risk

Technology Assessment to Support Integration of Multiple Risk Assessment Tools

Technology Assessment

•Assessed technology to implement a framework to support automated integration of multiple risk assessment tool outputs
•Focused on technologies that could best support our goal of integrating the products of multiple commercial applications into a common framework
•Examined a variety of products that exist in the marketplace today, including the inputs and outputs those products require

Technology Assessment

•Analyzed a variety of technologies including:
-Expert Systems
-Database Systems
-Neural Network/learning
-Fuzzy Logic

Expert Systems

•Characterized by the developer's ability to model an expert in the technology for the particular problem domain
•Our framework is not focused on any particular problem domain
-Intent is to establish a generalized capability to allow a variety of tools to cooperatively work together
-Specific problems within our framework may require an expert system
-However, overall architecture did not fit the expert system profile

Database Systems

•A collection of bits
•Provides a very rich capability for viewing those bits and establishing relationships between bits
•Problem is the user must have an understanding of the proper way to query the database
•With a variety of interdependent tools, the issue is not where the bits are, but what the bits mean
•Storage of bits will be isolated and normalized, but it is clear that the foundation for the framework cannot be a database system
-Foundation for our framework is the ability to categorize bits, establish relationships, and ask the right questions
-The formulation of the right question (query) is beyond the scope of a traditional database

Neural Network/Learning Systems

•Provide a technological foundation for learning
-Learn in a modelless environment from relationships of data
•The problem with application to NVT is the lack of any real training sets (underlying relationships)
-We do not know ahead of time, and therefore cannot teach, what the correct answer may be
-Correct answer is also dependent on a variety of dynamic data sources that come from the interaction of the system with itself and the real world
-Without the ability to categorize the response to a given set of inputs, learning technologies do not provide the solution to our problem

next level solutions

NVT TIM #5

Neural Network/Learning Systems

•However, some components of our framework may benefit from the ability to learn
•As the foundation continues to evolve it may be possible for the system to predict, based on past experience, the most applicable tool sets
•This predictive capability, however, is beyond our current goal of establishing the framework itself

Fuzzy Logic Systems

•Difficulty with many of the other technologies is the assumption that a single, or very few, experts or cases can resolve problems presented to the system
-In the real world, probability that a variety of experts will be in close agreement is very low
-As the system complexity increases, this probability reduces significantly
•Another aspect of fuzzy systems that is different is the partitioning of the solution space
-Typically in most systems, the solution is an evaluation of information into true or false statements
-However, real world information is rarely an issue of true or false, but is in fact a generalization or degree of truth

•Composed of rules, however, the rules do not need to be precise
-Can be changed by the system itself
•Purpose of the rules is not to make a decision per rule
-Instead, it is to accumulate evidence for, or against, a set of probable solutions
•Fuzzy rules are evaluated in parallel to provide an accumulated confidence for a particular outcome

•An indication that fuzzy technology is applicable can be determined by evaluating the problem space itself
-If the problem has a high degree of natural complexity or self-referential architecture, this is indicative of a fuzzy type problem
-The ability of fuzzy models to handle uncertainty and possibilities much better than conventional models is a significant benefit to us
•Another indicator of a fuzzy type problem is if the model will undergo regular revisions
•Fuzzy systems have a much higher degree of robustness and fault tolerance

Fuzzy Logic Systems

•Provide a high level of flexibility and knowledge representation that can handle the significant ambiguities that are inherent in our architecture
•Work well, conceptually, within NVT because of their ability to provide a robust and predictable response in the presence of imprecise information
•Given the scope of the problem being addressed, it is clear that in many instances we will have a wide range of imprecision
-One of our goals is to allow the framework to minimize the imprecision by the application of knowledge extracted from the tools and fed back into the system itself
•Also have the ability to explain their behavior, which in our risk assessment framework is critical

•Within fuzzy technology, several different areas were examined
-Fuzzy SQL
-Knowledge Mining
-Fuzzy Cognitive Maps
-Fuzzy Expert Technology

•Based on the premise that multi-criteria, multi-expert decision making can lead to a best-fit answer
•Primary benefit is its ability to use, and assimilate, knowledge from a variety of sources
•For NVT
-Expect to have both conflicting and collaborating experts
•Must be able to combine those opinions
-Need ability to support a set of independent fuzzy models rather than continuing to create a more complex set of rules for a single expert
-Also need to carefully manage our rule space or the system will become impossible to update within a short period of time
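
The slides above describe fuzzy rules that are evaluated in parallel to accumulate evidence for or against an outcome, drawn from independent expert models that may conflict or collaborate. The following Python sketch is an added example, not code from the NVT program or FuzzyCLIPS. The findings, the rule set, the probabilistic-sum operator and the 0.25 conflict threshold are all assumptions made for illustration; only the tool names come from the slides.

```python
from collections import defaultdict

# Constructed findings: the degree of truth (0..1) that each tool's expert model
# assigns to statements about one node. Tool names are from the slides; the
# statements and numbers are invented for illustration.
FINDINGS = {
    "ISS":   {"telnet_open": 0.9, "patched_recently": 0.5},
    "ANSSR": {"weak_passwords": 0.4, "untrusted_path": 0.7},
    "RAM":   {"asset_critical": 0.8},
}

# Hypothetical rules: (expert, antecedents, outcome, polarity, rule certainty).
# Polarity +1 is evidence for the outcome, -1 is evidence against it.
RULES = [
    ("ISS",   ["telnet_open"],                      "high_risk", +1, 0.8),
    ("ANSSR", ["weak_passwords", "untrusted_path"], "high_risk", +1, 0.9),
    ("RAM",   ["asset_critical"],                   "high_risk", +1, 0.5),
    ("ISS",   ["patched_recently"],                 "high_risk", -1, 0.6),
    ("RAM",   ["asset_critical", "no_backup"],      "high_risk", +1, 0.9),
]


def fire(rule, findings):
    """Return the evidence one rule contributes, or None if it cannot fire.

    Antecedents are ANDed with min() and scaled by the rule's own certainty.
    A rule only sees its own expert's findings, so a missing statement
    (partial information) silences the rule instead of failing the run.
    """
    expert, antecedents, _outcome, _polarity, certainty = rule
    known = findings.get(expert, {})
    if any(a not in known for a in antecedents):
        return None
    return certainty * min(known[a] for a in antecedents)


def accumulate(rules, findings):
    """Evaluate every rule and accumulate evidence per outcome.

    Evidence is combined with the probabilistic sum a + b - a*b (an assumed
    operator), so each rule nudges the total and no single rule decides.
    """
    totals = defaultdict(
        lambda: {"for": 0.0, "against": 0.0, "experts": set(), "silent": []})
    for rule in rules:
        expert, antecedents, outcome, polarity, _certainty = rule
        entry = totals[outcome]
        evidence = fire(rule, findings)
        if evidence is None:
            entry["silent"].append((expert, tuple(antecedents)))
            continue
        side = "for" if polarity > 0 else "against"
        entry[side] = entry[side] + evidence - entry[side] * evidence
        entry["experts"].add(expert)
    return dict(totals)


def explain(outcome, entry, conflict_at=0.25):
    """One-line explanation of the accumulated confidence for an outcome."""
    conflict = entry["for"] >= conflict_at and entry["against"] >= conflict_at
    return (f"{outcome}: for={entry['for']:.2f} against={entry['against']:.2f} "
            f"experts={sorted(entry['experts'])} conflict={conflict}")


if __name__ == "__main__":
    for name, result in accumulate(RULES, FINDINGS).items():
        print(explain(name, result))
        for expert, missing in result["silent"]:
            print(f"  silent rule from {expert}: needs {missing}")
```

The `silent` list records which rules could not fire, which is the kind of missing-information signal another tool might be able to fill in.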

Fuzzy Expert Technology

•This technology is applicable because:
-An expert exists for each tool planned for inclusion in the system
-The problem itself is fuzzy, in that it has ambiguities and must deal with partial information
-We can incrementally learn and apply new technologies as the system grows
-We believe we can identify valid membership functions for the mapping of data to concept and concept to knowledge
•An upcoming activity is to identify concepts and their valid membership functions

An Introduction to FuzzyCLIPS

Cliff Miller

Electronic Systems

•What is CLIPS?
-Expert System Tool
-Developed by Software Technology Branch, NASA
-LISP-like syntax
-C language
•What is FuzzyCLIPS?
-An extension of CLIPS
-Provides a mechanism to incorporate Fuzzy constructs into the expert system

CLIPS & FuzzyCLIPS

•Elements of CLIPS and FuzzyCLIPS
-CLIPS Shell (provides inferencing capabilities)
-Functions, variables, commands, etc.
-OOP Support
•CLIPS Shell
-Fact-list: Global Memory for data
-Knowledge Base: Rule base (contains rules)
-Inference Engine: Controls overall execution of rules

CLIPS - Facts & Rules

•Facts
-May be asserted at run-time or pre-defined and initialized
•(sky blue)
•(node 17 RESPONDING)
•Rules
-Rules may incorporate heuristic knowledge or experience
-Rules follow the familiar IF-THEN construct, except they are fired by the inference engine based on pattern matching
-Rule activation results from a new matching pattern entity or if an existing pattern entity is retracted and reasserted
-If necessary, rule salience may be explicitly declared

CLIPS - Rules

•Using Rules

   (defrule my_rule_name "Optional comment"
      (pattern_1)
      (pattern_2 list_item another_list_item)
      (pattern_n)
      =>
      (assert (some action))
      (assert (n number of actions)))

   (defrule comfort_zone
      (temperature 73)
      =>
      (printout t "We're comfortable!!!"))

CLIPS - Variables

•Variables
-Variables can be pattern matched, manipulated, and reasserted as new facts:

   (defrule get-solution-strength
      (cleaner-volume ?cleaner-oz)
      (water-volume ?water-oz)
      =>
      (assert (solution-strength (/ ?cleaner-oz (+ ?cleaner-oz ?water-oz)))))

deftemplate Construct

•A deftemplate is similar to a record or a structure in some other programming languages.

   (deftemplate cleaning_solution "optional comment"
      (slot product
         (allowed-symbols WINDEX AMMONIA FANTASTIC)
         (default WINDEX))
      (slot concentration
         (type FLOAT)
         (default 0.50))
      (multislot used-for
         (type SYMBOL)
         (default ?DERIVE)))

   (assert (cleaning_solution (product WINDEX) (used-for windows glass)))

•If Then

   (if (= ?x 0)
      then
         (printout t "zero" crlf)
      else
         (printout t "non-zero" crlf))

•While

   (while (> ?x 0)
      (printout t ?x " bottles of beer on the wall" crlf)
      (bind ?x (- ?x 1)))

•Functions
-May be provided by CLIPS or user defined via deffunction
-External functions written in another language may be called
•deffunction

   (deffunction <function-name> [optional comment]
      (?arg1 ?arg2 ... ?argM [$?argN])   ; argument list. Last one may
      (<action1>)                        ; be optional multifield arg.
      (<action2>)                        ; action1 to
                                         ; action(K-1) do not
      (<action(K-1)>)                    ; return a value
      (<actionK>))                       ; only last action returned

Example - NIM

   (reset)

   ; Computer's move: leave the opponent a count of the form 4n + 1 when possible.
   (defrule move
      ?old_turn <- (myturn)
      ?old_count <- (count ?cur_count)
      =>
      (retract ?old_turn)
      (retract ?old_count)
      (bind ?modval (mod (- ?cur_count 1) 4))
      (if (= ?cur_count 1) then
         (printout t "Take: 1 Total: 0 I lose" crlf)
       else
         (if (= ?modval 0) then
            (bind ?play (+ 1 (mod (random) 3)))
          else
            (bind ?play ?modval))
         (assert (count (- ?cur_count ?play)))
         (printout t "Take: " ?play " Total: " (- ?cur_count ?play) crlf)
         (assert (yourturn))))

   ; Start of the game: 23 items, human moves first.
   (defrule start
      (initial-fact)
      =>
      (printout t "Total: 23" crlf)
      (assert (count 23))
      (assert (yourturn)))

   ; Human's move: read the number taken from the keyboard.
   (defrule human
      ?old_turn <- (yourturn)
      ?old_count <- (count ?cur_count)
      =>
      (retract ?old_turn)
      (retract ?old_count)
      (bind ?play (read))
      (if (= 23 (- ?cur_count ?play)) then
         (assert (count ?cur_count))
         (assert (myturn))
       else
         (if (< ?play 4) then
            (if (= ?play ?cur_count) then
               (printout t "Take: 1 Total: 0 I win" crlf)
             else
               (assert (count (- ?cur_count ?play)))
               (printout t "Take: " ?play " Total: " (- ?cur_count ?play) crlf)
               (assert (myturn)))
          else
            ; Taking 4 or more is not allowed: ask the human again.
            (assert (count ?cur_count))
            (assert (yourturn)))))

•CLIPS Object Oriented Language (COOL)
-Provides standard OOP constructs including:
•abstraction
•encapsulation
•inheritance
•polymorphism

CLIPS Classes

•All classes are children of one or more super-class
•Inheritance by specialization (e.g. horse is-a mammal) is directly supported.
•Multiple inheritance is supported
•Some handlers (known as methods in some other OOLs) are predefined under the CLIPS provided USER class; other handlers are user defined
•Handlers are invoked by sending messages to objects

Object-Oriented Constructs

   (defclass CLEANING_SUPPLY (is-a USER) (role abstract)
      (slot condition (create-accessor read-write) (default CLEAN)))

   (defclass SCRUBBRUSH (is-a CLEANING_SUPPLY) (role concrete)
      (slot bristle_length (create-accessor read-write)))

   (make-instance Bobs_brush of SCRUBBRUSH
      (bristle_length 1)
      (condition DIRTY))

   (send [Bobs_brush] get-bristle_length)
   1

   (send [Bobs_brush] get-condition)
   DIRTY

   (defmessage-handler CLEANING_SUPPLY wash ()
      (dynamic-put condition CLEAN))

   (send [Bobs_brush] wash)
   (send [Bobs_brush] get-condition)

•An extension of standard CLIPS that allows for the use of fuzzy facts and fuzzy rules which contain both membership functions and certainty factors
•Provides an expanded syntax for the representation of facts and rules
•Provides commands and features to facilitate working with fuzzy sets

FuzzyCLIPS Concepts

•The world often does not fit into discrete "all or nothing" categories
•Fuzzy logic relies upon the degree of truth of a given statement, or the degree of membership within a set
•An expert often uses vague rules with inexact hedges
-"If the window is SLIGHTLY dirty, use a LITTLE Windex"
-A fuzzy expert system can handle such rules well

[Figure: axis labeled Dirtyness]

FuzzyCLIPS

•Certainty Factors
-Degree of certainty of facts or rules is easily expressed in FuzzyCLIPS

   (assert (floor very dirty) CF 0.8)

•Membership functions
-FuzzyCLIPS membership functions may be defined using:
•A set of discrete singleton points (this can represent triangular membership functions, trapezoidal membership functions, or any other function that may be represented or approximated by a set of line segments)
•One of three predefined standard curves
•Linguistic expressions

FuzzyCLIPS Examples

   (deftemplate fz_dirtyness
      0 100 mm   ; lower and upper bounds, units (millimeters of dirt)
      ((clean (0 1) (10 0))
       (getting_grungy (5 0) (20 1) (60 0))
       (filthy (10 0) (50 1))))

   (deftemplate surface
      (slot type (type SYMBOL))
      (slot dirtyness (type FUZZY-VALUE fz_dirtyness)))

   (assert (surface (type window) (dirtyness getting_grungy)) CF 0.8)
   (assert (surface (type floor) (dirtyness (50 0) (52 1) (55 0))) CF 0.9)

   (defrule clean_grungy_window
      (declare (CF 0.7))
      (surface (type window) (dirtyness getting_grungy))
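
To show what the point lists in the fz_dirtyness template mean numerically, here is an added Python example (not code from the slides or from FuzzyCLIPS) that evaluates those membership functions and matches the two asserted surface facts against linguistic terms. The matching measure (height of the intersection) and the product used for the conclusion certainty are assumptions chosen for illustration, not FuzzyCLIPS's own inference formulas.

```python
# Point lists copied from the fz_dirtyness template on the slide: (x, membership).
UNIVERSE = (0.0, 100.0)  # lower and upper bounds, millimeters of dirt
TERMS = {
    "clean":          [(0, 1), (10, 0)],
    "getting_grungy": [(5, 0), (20, 1), (60, 0)],
    "filthy":         [(10, 0), (50, 1)],
}
# The floor fact from the slide, asserted with an explicit fuzzy set (CF 0.9).
FLOOR = [(50, 0), (52, 1), (55, 0)]


def membership(points, x):
    """Degree of membership of x in the set drawn through the given points.

    Points are joined by straight lines; outside the first and last point the
    function stays flat at that point's value.
    """
    if x <= points[0][0]:
        return float(points[0][1])
    if x >= points[-1][0]:
        return float(points[-1][1])
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    raise ValueError("points must be sorted by x")


def fuzzify(x):
    """Membership of a crisp reading in every linguistic term."""
    return {name: membership(pts, x) for name, pts in TERMS.items()}


def match_degree(fact, pattern, steps=10000):
    """Height of the intersection of two fuzzy sets, sampled over the universe.

    min() intersects the sets pointwise and max() takes the peak. This is an
    assumed matching measure for the example.
    """
    lo, hi = UNIVERSE
    xs = (lo + (hi - lo) * i / steps for i in range(steps + 1))
    return max(min(membership(fact, x), membership(pattern, x)) for x in xs)


def conclusion_cf(rule_cf, fact_cf, degree):
    """Certainty carried to a rule's conclusion (assumed: plain product)."""
    return rule_cf * fact_cf * degree


if __name__ == "__main__":
    # A crisp 15 mm reading is partly getting_grungy and slightly filthy.
    print(fuzzify(15))
    # Window fact (getting_grungy, CF 0.8) against the CF 0.7 rule pattern.
    window = match_degree(TERMS["getting_grungy"], TERMS["getting_grungy"])
    print("window rule CF:", conclusion_cf(0.7, 0.8, window))
    # The floor's explicit set sits wholly inside filthy, barely in getting_grungy.
    print("floor vs filthy:", match_degree(FLOOR, TERMS["filthy"]))
    print("floor vs getting_grungy:", match_degree(FLOOR, TERMS["getting_grungy"]))
```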

Want More Information?

•CLIPS
-http://www.ghg.net/clips/CLIPS.html
•FuzzyCLIPS
-http://ai.iit.nrc.ca/fuzzy/fuzzy.html

Task #6
Proof-of-Concept Prototype

Task #6

•The integration of three distinct risk analysis/vulnerability analysis reasoning engines into a proof-of-concept prototype of the Network Vulnerability Visualization Architecture, currently known as the Network Visualization Tool (NVT)
•Activities
-Acquire FuzzyCLIPS & Develop Simple Examples
•Obtain the latest version of the FuzzyCLIPS development environment
•Have the team become familiar and/or re-acquainted with the tool through the development of some simple examples that we can possibly apply to later phases of the program

Task #6 Activities

•Acquire/Study Vulnerability Assessment Tools
-Obtain the three vulnerability tools selected
-One tool was chosen to represent each of the different categories of vulnerability tools
•ANSSR was selected as a prime example of a legacy reasoning engine
•ISS Internet Scanner was selected as an example of a "live" vulnerability tool
•RAM was selected because of our experience using it for large scale, highly complex problems such as the power distribution system and because it was selected for the Secret and Below Initiative (SABI)
-Once in-house, learn the tools' requirements for input/output/reasoning, to determine the most appropriate way to create individual tool "plug-ins"

Task #6 Activities

•Design Initial Prototype
-Using the preliminary architecture currently in place, translate this high-level design to a much more concrete, cohesive design that can be "built-to"
-This involves the laying out of the NVT design to a per-functional module level, so the team can do incremental prototyping and we can track levels of completion

Task #6 Activities

•Decide Test Scenario/System
-NVT is supposed to execute against any network topology
-What we need to use for testing purposes is a few sample networks
-These can be segments of the Harris network, the AFRL network, or a C3I system net such as CTAPS or GTN
-The ideal would be to work with a network that the customer can identify with, and use for his own subsequent demonstration purposes

Task #6 Activities

•Acquire Basic System Information (for Demo Team)
-When the candidate demonstration application has been selected, obtain the network data
-For example, a "canned" ping/discovery session, a live discovery session, or a sit down and draw the network session

Task #6 Activities

•Complete Graphical User Interface (GUI)
-Determine the GUI, do not invent new visualization techniques, but focus on applying work already done in other related areas, such as data fusion, message understanding, virtual reality, etc.
-Understand that this is probably at least a two part GUI, one for input and one for output.

Task #6 Activities

•Develop Fuzzy Knowledge Expert for 3 Risk Tools
-Fuzzy Expert works on multiple levels, or layers of data manipulation
•For example, there is one level, that of output combination to result in a meaningful, close to plain English output result
•There is another layer, that looks for missing information related to data ingest operations, where a single tool may not have all the information, but another tool might have a way to compensate
•Also, there may be layers for criticality or relevance of data as well for each tool
•The question is how to most effectively address the various layers with some degree of cohesion while preserving system modularity and maintainability

Task #6 Activities

•Integration and Test (in Melbourne)
-The final integration/demonstration testing, that determines removal and/or documentation of the problems
•Ship Equipment to AFRL/RRS
-Pack it all up, and send it out
•Deliver, Demonstrate and Test (in Rome)
-Take it to Rome and make it happen for final sell-off

Proof-of-Concept Prototype

Prototype GOTS/COTS

Automatic Discovery

•Given the IP address of the default router for the network, HP OpenView can search for computers and other devices attached to the network
•OpenView performs an active search, pinging possible IP addresses on the network
-Adds whatever response information it receives to its network map

Manual Network Diagram

•Provides a method to draw a proposed network with a graphical user interface supporting drag-and-drop
•Properties of each network node can be edited
-Add details as required to provide complete logical network planning
•Can represent an entire network on a map by using a subnetwork icon
-Detailed map of the subnetwork can be linked to this icon and be displayed by double-clicking the subnetwork icon

Network Node Evaluation

•Show attack probabilities and vulnerabilities for any node on a network, even a subnetwork
•Provide methods for the user to describe the types of attacks and security risks that are of concern
•Allow user to fine-tune this information for various nodes on the network as well as establish a default value for the network
-This fine-tuning provides a greater level of detail for FuzzyCLIPS to provide a more accurate summary of the risk assessment

Proof-of-Concept Prototype
Risk Assessment Tools

ANSSR

•Procured and installed in NVT Lab
-Written in ObjectWorks Smalltalk version 4.1
•Encountered challenges in integrating this tool under Visual Smalltalk due to Smalltalk compatibility issues
•Solved most compatibility issues by using VisualWorks Smalltalk, a readily available successor to ObjectWorks
-ANSSR has now been successfully built under VisualWorks 3.0
•Testing is ongoing, but outlook for use of ANSSR under VisualWorks 3.0 is promising

ANSSR Integration Issues

[Figure: diagram with boxes labeled "ObjectWorks Smalltalk v4.1", "Evaluation Copy, VisualWorks Smalltalk v3.0", "NVT Lab, Visual Smalltalk v3.11" and "NVT Lab, ANSSR v2-2, Image", and connections labeled "Classes, Methods, Code, Minor Porting Issues" and "Code, etc., More Significant Porting Issues"]

ISS Internet Scanner

•Purchased, installed in NVT Lab, and tested on the test network
•No major problems associated with integration and use in NVT are anticipated at this time

RAM

•Developed by NSA (R52/P5)
-10 Modeling and Simulation Group
-Probabilistic Fault Tree Analysis Language
-Version 1.0 - Excel Spreadsheet with 2 "helper apps"
•What's Best!
•Insight
-Used in SABI Risk Analysis Assessment
-Harris/NSA working CRADA for use of RAM in NVT
•Pending NSA legal review
-NSA also having a COTS vendor integrate it
-Applied Decision Analysis (ADA) building it into DPL
-Beta due out sometime in December

•Recommend we use the Excel Version
-Stable
-Good experience base at NSA
-Eliminates procurement lead time
•Nobody at ADA has a price for the product
-Unclear if/when training will be offered
-Future maintainability of product is in question
•Expected, but unsure of release cycle
•Unsure of maintenance costs
-RAM the spreadsheet is recognizable

Future
Risk/Vulnerability Visualization

3D Visualization

•VisualEyes
-SGI Platform
-View 3-D and n-D data sets
-Information Retrieval application
-Open platform
•Risk/Vulnerability Trade-off Analysis
-A system architecture is assigned values for security, functionality, performance, availability and survivability
-Display similar to text retrieval
•Cube represents a particular architecture design
•Two 3D views displayed simultaneously
-Security, functionality and performance
-Security, availability and survivability

Plans for Next Quarter

•Acquire/Study Vulnerability Assessment Tools
-Resolve issues with ANSSR
-Study ISS Internet Scanner
-Get CRADA completed and Acquire RAM
•Design Initial Prototype
•Decide Test Scenario/System
•Acquire Basic System Information (for Demo Target)
•Complete Graphical User Interface (GUI)
•Develop Fuzzy Knowledge Expert for 3 Tools

Open Discussion

Issues/Notes

Action Items

•Open Action Items
-RLAI #4: AFIWC to work through Dwayne Allain to provide access to their vulnerability/risk assessment tools
-RLAI #5: Dwayne Allain to investigate providing the Air Tasking Mission Planning video
•New Action Items

Backup Material

Fuzzy Technology

Fuzzy Technologies

•Within fuzzy technology, several different areas were examined
-Fuzzy SQL
-Knowledge Mining
-Fuzzy Cognitive Maps
-Fuzzy Expert Technology
•We will touch on each area and define its applicability to our problem

Fuzzy SQL

•Helps solve one problem with traditional database queries, the inability to precisely define the query
-Basis of a relational database is the establishment of a variety of independently created and maintained tables
-Tables are a set of rows and columns that are defined by a schema
-Problem with the database is that depending on the query I may get many elements, or none
-In either case, I do not get a clear understanding of how many possible answers existed or how well the returned answers fit my query

Fuzzy SQL

•A fuzzy SQL query resolves this by understanding to what extent each possible answer "fits" (in fuzzy terms, has membership in) the solution space
•While fuzzy SQL helps resolve some issues of ambiguity for us, we have a high degree of coupling between the fuzzy rules and the database schema(s)
•This coupling may not facilitate an extensible framework, a critical design criterion
-We also would lack control over the rule representations because of the high dependency on SQL

•Knowledge mining is the establishment of a fuzzy system that generates its own rules based on a given set of data
•Such knowledge mining applications are usually built from a variety of technologies including neural networks and genetic algorithms
•When considering knowledge mining we evaluated the many drawbacks of such a system and how they would affect our long term goals

Knowledge Mining

•Knowledge mining systems suffer from the following drawbacks:
-Lack of meaning to rules because they were system generated
-No explanation as to how the rules were defined
-Requires a large pool of information
-Combinatorial increases in computational power requirements if not carefully managed
•For these reasons, it did not seem feasible to rely on this technology to provide our foundation
•In addition, knowledge mining is more applicable to problems that have a mathematical basis, where the derived rule sets can be expressed as complex equations

Fuzzy Cognitive Maps

•Fuzzy Cognitive Maps were considered as a method to establish tool causal flow within our system
•FCMs are directed cognitive maps with nodes that would identify concepts (Tools) and the edges indicate the degree to which one tool would cause or depend upon another tool
•This technology provides a powerful capability to represent complex relationships

Fuzzy Cognitive Maps

•The usefulness of the capability is diminished, however, because of the following limitations that have become known:
-FCMs represent causal relationships between concepts, but are decoupled from the actual data
-Complex time relationships cannot be represented well
-As the system needs to run to steady state connectivity density, the FCM grows exponentially based on the number of concepts
•For these reasons, this particular technology did not seem applicable to our problem
•The general consensus is that for any problem that can be solved by FCMs, fuzzy expert systems would provide a better solution